Ads displaying as code when all scripts are allowed

[Bush Hayvers]

I have NoScript 2.6.9.6 installed on Firefox 34.0 and it is stopping adverts from loading on http://superbestfriendsplay.com despite being set to allow everything on the page, and the page itself being in the whitelist. They display like this http://i.imgur.com/eutzTZg.jpg instead. This has only started happening in the last few days. Disabling NoScript entirely brings the adverts back, so I know it isn't AdBlock Plus etc. As far as I can see this is the only site this is happening on.

I'd like to support the guys behind that site, so any help would be much appreciated.

[barbaz]

Confirmed.

Well, I am seeing a lot of XSS messages saying something about sanitised window.name, and a few messages that are nothing but a URL followed by "about:blank"?
Don't know how to get around it (or if doing so would actually let a malicious threat in), sorry.

The actual console output is way way *way* **way** too long to post here - 344KB total!! - so I've uploaded it to [x].

[Thrawn]

That's weird, it looks like NoScript is saying that someone is putting an entire HTML page into window.name.

Maybe it is this insanity? If so, then please leave it blocked for your own safety.

[barbaz]

The actual console output is way way *way* **way** too long to post here - 344KB total!! - so I've uploaded it to

Is there any point to keep that up anymore?

[Thrawn]

A snippet should do:

Code: Select all

[NoScript XSS]: sanitized window.name, "1-0-1;87172;<!doctype html><html><head><style><!--
a:link { color: #ffffff }a:visited { color: #ffffff }a:hover { color: #ffffff }a:active { color: #ffffff }  --></style><script><!--
(function(){var d=this,f=function(a){var b=typeof a;if("object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;var c=Object.prototype.toString.call(a);if("[object Window]"==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";else if("function"==b&&"undefined"==typeof a.call)return"object";return b};var g;e:{var h=d.navigator;if(h){var k=h.userAgent;if(k){g=k;break e}}g=""};var l=-1!=g.indexOf("Opera")||-1!=g.indexOf("OPR"),n=-1!=g.indexOf("Trident")||-1!=g.indexOf("MSIE"),p=-1!=g.indexOf("Gecko")&&-1==g.toLowerCase().indexOf("webkit")&&!(-1!=g.indexOf("Trident")||-1!=g.indexOf("MSIE")),q=-1!=g.toLowerCase().indexOf("webkit");(function(){var a="",b;if(l&&d.opera)return a=d.opera.version,"function"==f(a)?a():a;p?b=/rv\:([^\);]+)(\)|;)/:n?b=/\b(?:MSIE|rv)[: ]([^\);]+)(\)|;)/:q&&(b=/WebKit\/(\S+)/);b&&(a=(a=b.exec(g))?a[1]:"");return n&&(b=(b=d.document)?b.documentMode:void 0,b>parseFloat(a))?String(b):a})();var r={};window.ss=function(a){void 0!==r[a]?r[a]++:r[a]=1;var b=document.getElementById(a),c=r[a];if(window.css)css(a,"nm",c,void 0,void 0);else if(b){a=b.href;var e=a.indexOf("&nm=");if(0>e)c=a+"&nm="+c;else var e=e+4,m=a.indexOf("&",e),c=0<=m?a.substring(0,e)+c+a.substring(m):a.substring(0,e)+c;b.href=2E3<c.length?a:c}};})();function su(id) {var a = document.getElementById(id);var b = (new Date()).getTime();if (a && a.myt && b) {var t = b - a.myt;if (window.css) {css(id,'clkt',t);return;}var bi = a.href.indexOf("&clkt=");if (bi > 0) {var c = a.href.substring(0, bi+6); var d = a.href.substring(bi+6, a.href.length);var ei = d.indexOf("&");var r = '';if (ei >= 0)r = d.substring(ei, d.length);a.href = c + t + r; } else {a.href += "&clkt=" + t;}}}(function(){var d=this,g=function(a){var b=typeof a;if("object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;var c=Object.prototype.toString.call(a);if("[object Window]"==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";else ...
URL: http://tpc.googlesyndication.com/safeframe/1-0-1/html/container.html#xpc=sf-gdn-exp-2&p=http%3A//superbestfriendsplay.com

http://tpc.googlesyndication.com/safeframe/1-0-1/html/container.html#xpc=sf-gdn-exp-2&p=http%3A//superbestfriendsplay.com